Pete Finnigan's Oracle Security Forum
        (http://www.petefinnigan.com/forum/yabb/YaBB.cgi)
      

        Oracle Security >> Oracle Security >> Password security policies
        
(Message started by: Pete Finnigan on Nov 21st, 2005, 7:28pm)
Title: Password security policies
Post by Pete Finnigan on Nov 21st, 2005, 7:28pm
Hi,

I want to share the following poll with you. At  DBA-Village (http://www.dba-village.com/village/dvp_base.main), they asked the following question:

Quote:
What are the password security policies in your production databases?

No policies, nothing verified, security is not an issue 24%
Checked this manually once or a few times       18%
Checked and no new users or changed passwords since then 9 %
Regular checks, manually                      19%
Strong (password verification function, automatic check scripts, ...) 30 %
There are 513 responses so far

See http://www.dba-village.com/village/dvp_poll.ShowDetail?QIdA=133

So from the 513 reponses 24% (123)  don't have a password policy and, according with the question, they consider security not an issue!
Maybe the question is misleading. Maybe some sites don't have a password policy (Oracle 7 !?)  but this doesn't mean they don't  find security important.
Anyway, 30% do have a password policy and this I find not very high. Or am I wrong?
We are pressing Oracle all the time to improve their security features but it seems that  a great deal of the customers (us) don't care for them. I don't base this opinion just on the DBA-V poll but on what I read daily on comp.database.oracle.server , the OTN security forum and other sites. Security is still an after-thought .
Laws and regulations like SOX will change things but not everywhere. In the USA and some parts of Europa SOX is relevant but not for the rest of the world .
Pete has advocated for an open security standard for Oracle and I think he is right.   I don't expect that a security standard will automagically solve all security risks but at least people will have a starting point and will be forced to think about the risks.

Ivan
Title: Re: Password security policies
Post by Pete Finnigan on Nov 22nd, 2005, 5:07pm
Hi Ivan,

Thanks for posting this. I read DBA-village most weeks from the newsletter that comes out but i did not see this yet. To be honest I am not surprised that the interest in password policies and security of databases in general is not very high. I find this all the time but it is changing, slowly.:-)

Forums like this and OTN are good places to make some noise about Oracle security and also to ask for new features. I was told that people in Oracle read my blog and sometimes take notice. If we keeop asking enough times it will improve )the security that is)

cheers

Pete


Powered by YaBB 1 Gold - SP 1.4!
Forum software copyright © 2000-2004 Yet another Bulletin Board